Version 2020.1
New Features
- Evidence sidebar for file downloads
- KnowledgeBase Feature Deprecation
- Update to suricata 5.0.1 upstream
- Removal of Lastline CheckPoint Integration
- Display detected threats stats in portal
- Added support for NTA rules matching on geoip properties
- Add host tag filter to alert suppression
- Baseline outlier anomaly sidebar
- Support for Bulk Host Tagging
EVIDENCE SIDEBAR FOR FILE DOWNLOADS
Lastline introduces a new set of capabilities to describe evidence for malicious file-based threats. When a security analyst clicks on the evidence label, additional information and a report for the file analysis are displayed, including a description of the threat, threat scores for the various behaviors observed during analysis, etc.
This new feature was tracked internally as FEAT-4585
KNOWLEDGEBASE FEATURE DEPRECATION
The following KnowledgeBase features are now deprecated:
- To improve performance, the KnowledgeBase clustering service is discontinued. This only changes some Intelligence search capabilities: the clustering tab is no longer available and you cannot search by cluster. Static clustering-based detection remains operational.
- All strings remain indexed across the entire process space. You retain the ability to search by string independently of location using the existing top-level keyword. However, you can no longer search for strings by sub-key location (heap, stack, memory block or executable section).
- The KnowledgeBase no longer provides the analysis subject location within its search results. In the Intelligence page, under the Report tab, the subjects column is removed from the table of results.
This was tracked internally as FEAT-5083
UPDATE TO SURICATA 5.0.1 UPSTREAM
The sensor IDS service has been updated to Suricata 5.0.1. This includes a number of performance and stability improvements. A full list of changes can be found on the Suricata website: https://suricata-ids.org/2019/12/13/suricata-5-0-1-released/
This new feature was tracked internally as FEAT-4958
REMOVAL OF LASTLINE CHECKPOINT INTEGRATION
Lastline's integration with the Check Point firewall has been removed in this release. The Check Point VPN-1 firewall product that the Lastline integration supported is no longer supported by Check Point. Please contact technical support if you have questions regarding this integration.
This was tracked internally as FEAT-5225
DISPLAY DETECTED THREATS STATS IN PORTAL
Lastline has introduced a new visualization in the events view that provides event counts by threat class and supports drill-down to specific threats within each threat class. With this new visualization, security analysts can more easily triage specific events of interest and also obtain an aggregated count of events across the various threat classes.
This new feature was tracked internally as FEAT-5148
ADDED SUPPORT FOR NTA RULES MATCHING ON GEOIP PROPERTIES
It is now possible to write NTA rules that match on the geoip location of source or destination IPs. The properties geoip_src and geoip_dst have been added to NTA records: they match records whose src_ip or dst_ip property, respectively, is geolocated in the specified country. For example, the rule netflow.geoip_dst:RU matches netflow records whose destination IP is located in Russia.
This new feature was tracked internally as FEAT-4928
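As an added illustration of the geoip_src/geoip_dst matching described above (example code written for these notes, not Lastline's rule engine), the following Python enriches constructed netflow records with country codes from a constructed CIDR table and evaluates a rule such as netflow.geoip_dst:RU. The record field name type, the lookup table and the rule grammar type.property:value beyond the page's single example are assumptions.

```python
import ipaddress

# Constructed geolocation table (CIDR -> ISO country code) built from RFC 5737
# documentation ranges; a real sensor would consult a geoip database instead.
GEOIP_TABLE = {"192.0.2.0/24": "RU", "198.51.100.0/24": "US", "203.0.113.0/24": "DE"}
_NETWORKS = [(ipaddress.ip_network(c), cc) for c, cc in GEOIP_TABLE.items()]

def geolocate(ip):
    """Country code for an IP, or None when the address is not in the table
    (internal RFC 1918 addresses are deliberately absent, so they yield None)."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in _NETWORKS if addr in net), None)

def enrich(record):
    """Derive the geoip_src / geoip_dst properties from src_ip / dst_ip."""
    out = dict(record)
    out["geoip_src"] = geolocate(record["src_ip"])
    out["geoip_dst"] = geolocate(record["dst_ip"])
    return out

def parse_rule(rule):
    """Split 'netflow.geoip_dst:RU' into (record_type, property, value).
    This grammar is assumed from the page's one example."""
    lhs, _, value = rule.partition(":")
    record_type, _, prop = lhs.partition(".")
    if not (record_type and prop and value):
        raise ValueError("expected type.property:value, got %r" % rule)
    return record_type, prop, value

def match(rule, records):
    """Return the enriched records of the rule's type whose property equals the value."""
    record_type, prop, value = parse_rule(rule)
    return [
        rec for rec in map(enrich, records)
        if rec.get("type") == record_type and rec.get(prop) == value
    ]

# Constructed sample NTA records (not captured traffic).
SAMPLE_RECORDS = [
    {"type": "netflow", "src_ip": "10.1.1.5", "dst_ip": "192.0.2.10"},
    {"type": "netflow", "src_ip": "10.1.1.6", "dst_ip": "198.51.100.7"},
    {"type": "netflow", "src_ip": "192.0.2.44", "dst_ip": "10.1.1.7"},
]
```

Running match("netflow.geoip_dst:RU", SAMPLE_RECORDS) returns only the first record, while the geoip_src form selects the third, showing that source and destination are matched independently.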
ADD HOST TAG FILTER TO ALERT SUPPRESSION
Alert suppression now supports specifying additional criteria based on host tags. With this functionality, security analysts can suppress events for, for example, hosts tagged as "public domain guest machine" or any other host tag that is relevant for their network.
This new feature was tracked internally as FEAT-4902
BASELINE OUTLIER ANOMALY SIDEBAR
Lastline introduces a new set of capabilities to describe evidence for anomaly-detection-based threats. When a security analyst clicks on the evidence label, additional information on the anomaly detection is displayed, including a description of the anomaly and a visualization of the data that caused it.
This new feature was tracked internally as FEAT-4892
SUPPORT FOR BULK HOST TAGGING
Security analysts can now apply the same host tag to multiple hosts from the listing page. Additionally, they can update or delete existing tags for multiple hosts in a single operation.
This new feature was tracked internally as FEAT-4714
Detection Improvements
- FEAT-4855: Improved coverage of MITRE ATT&CK Tactics and Techniques in Lastline Sandbox.
- TRES-935: Improved phishing document prefilters.
- TRES-890: Improved detection of office phishing documents.
- TRES-1166: Improved detection of malicious URLs in documents.
- TRES-901: Improved More_eggs backdoor detection.
- TRES-547: Reduced false positives on benign files that were affected by privilege escalation signatures.
- TRES-1234: Improved detection on phishing pages pretending to be Microsoft login.
Bug Fixes and Improvements
- FEAT-5066: NTA records displayed in Kibana are now enriched with the hostname of internal source and destination IPs, if available. Notice that this enrichment requires that sensors are configured to resolve hostnames (the relevant setting is in the "Detection and Blocking" page).
- SENT-2673: Fixed an issue that could cause the sniffer service to crash under certain packet tunneling configurations.
- USER-4077: An API error occurred in the Mail Messages Log view of the portal for emails that don't have detections. The issue has been fixed by suppressing the unintended API call.
- PLTF-1305: Fixed an issue where mail permissions were not being respected across customer licenses.
- SENT-2667: Improved the file extraction rule for extracting .img files on sniffing sensors. The rule now works around common false positives that caused the sensor to needlessly process large amounts of unrelated file types.
- SENT-2643: Fixed an issue where deeply nested chains of email forwards could cause unreasonable slowdowns in mail processing.
- PLTF-1242: Fixed an issue where filtering the host list view sometimes would return inconsistent results.
- FEAT-5217: The Lastline Analyst API now reports any errors found during sandbox dynamic analysis when all sandbox analysis runs have failed. This is intended to aid troubleshooting when submissions cannot be analyzed.
- FEAT-5165: Added protocol identifiers for tagging application-level protocol types in netflow NTA data, including identifiers for Modbus, SOCKS, and RPC interactions.
Deprecation of API Methods
The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.
Released Appliance Versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
Lastline Sensor version 1150
Lastline Supported Browsers
With this release, we will support the current versions of Google Chrome, Apple Safari and Microsoft Edge for Windows. Support for issues identified with versions of Internet Explorer, as well as any other unlisted browsers, will be provided on a best-effort basis; identified bugs will only be addressed for currently supported browsers.